Friday, September 9, 2011

A few thoughts on Symantec's MSS

Looking back I’m sort of surprised I haven’t really written anything about Symantec’s MSS yet. On some level I’m guessing the ArcSight folks might have thought I was beating them up a little in some of my posts but for whatever reason I’m not as inclined to do that with this. I think maybe it has something to do with making my momma proud and listening to the old adage of ‘if you don’t have anything nice to say….’ Don’t get me wrong, Symantec’s MSS has some great people and has been good as a service that detects and alerts on bad stuffs.

I guess the main difference is that I actually liked using ArcSight. As a tool it was freaking powerful in that we could use it to detect stuff and we could then interact with the data that was being sucked in. Of all the custom content I developed one that I especially enjoyed was manipulating a couple data streams to give unique insight into a business problem. Funny that – using security to address a business issue.

So if you are using an MSSP, do you still need to interact with the data? After all, what you are probably looking for is outsourcing your detection capabilities. This thought deserves its own post, honestly, but the short answer is a strong – absolutely. One could write a small book on feature requests I have submitted in that vein, why they are needed, and potentially in a different light why they are missing from the current offering. By far the strongest need I have, though, is the ability to query the data and create my own reports. There is simply no getting around this issue.

Any thoughts out there? I would ask and interact with folks on the Symantec MSS community site….only one doesn’t exist.
